What is claimed is:

1. A directory server comprising:

at least one role, said role defined as an entry grouping mechanism, wherein a role
is uniquely defined by distinguishing name (DN) of its defining entry.

2. The directory server as in claim 1, wherein the defining entry is nsRole, which 
comprises one or more distinguishing names. 

3. A method of grouping a plurality of entries in a directory server, the method
comprising the step of:

assigning at least one role to a first entry, said at least one role being an entry
grouping mechanism defined by distinguishing name of its defining entry.

4. The method as in claim 3, wherein the defining entry is nsRole, which comprises
one or more distinguishing names.



5. A method for searching an entry in a directory server, the directory server storing
a plurality of entries, at least one of the plurality of entries possessing at least one role,
said role being an entry grouping mechanism defined by distinguishing name of its
defining entry, the method comprising the steps of:

receiving a request to enumerate role membership for a particular role;

comparing a plurality of entries stored in the directory server by checking a
predetermined role attribute for the particular role; and

returning the result of the comparison.



6. The method of claim 5, further comprising the step of:

assigning at least one role to a first entry in the directory server, said at least one
role being an entry grouping mechanism defined by distinguishing name of its defining
entry.

7. A data processing system for searching for checking entries in a directory server
for role membership, the system comprising:

a CPU;

memory coupled to the CPU, the memory storing a directory comprising a
plurality of entries, each said entry being associated with a role containing a predefined
role attribute;

wherein the memory stores a search program which is executable by the CPU to
check role membership by searching the predefined role attribute; and
to return the result of the search if any entries possess the role.




8. In a directory system comprising a client computer configured to execute
applications to perform membership verification in a directory communicatively coupled
to a server computer, the directory storing a plurality of entries, a method of
reducing client-side complexity in searching for a particular entry, the method comprising
the steps of:

configuring the server computer to assign at least one role to a subset of the
plurality of entries, said at least one role being an entry grouping mechanism defined by
distinguishing name of its defining entry.

9. A computer program product comprising a computer readable medium having
computer readable code embodied therein for processing data in a directory server by:

receiving a request for enumerating role membership for a particular role;

comparing a plurality of entries stored in the directory server by checking a
predetermined role attribute; and

returning the result of the comparison.

10. The method of claim 9, further comprising the step of:

providing a set of expressions and boolean operations for use in a directory
search.

11. The method of claim 10, wherein the expressions comprise any one or more of
operands connected by the operators,

equal             =    where an instance of the attribute exactly matches the value;
contains          *    which is used as a wild card to allow presence check or partial matches;
sounds like       ~=   which is used in name searches;
greater or equal  >=   which is used for numerical comparisons;
less or equal          which is used for numerical comparisons;
negation               which is used to negate any expression;
and               &    which is used to combine two expressions; and
or                |    which is used to select from two expressions.



12. A method for use in connection with application and network services to provide
a directory service that defines roles for directory members, the method comprising the
steps of:

defining a directory search specification for a role based on user attribute
information, where said role can be possessed by any set of members and in which roles
possessed by users are defined by the directory search specification;

evaluating said directory search specification at service delivery time;

determining whether information maintained in a directory matches said directory
search specification; and

delivering said service.



13. The method of claim 12, further comprising the step of:

providing a set of expressions and boolean operations for use in a directory
search.

14. The method of claim 13, wherein the expressions comprise any one or more of
operands connected by the operators,

equal             =    where an instance of the attribute exactly matches the value;
contains          *    which is used as a wild card to allow presence check or partial matches;
sounds like       ~=   which is used in name searches;
greater or equal  >=   which is used for numerical comparisons;
less or equal          which is used for numerical comparisons;
negation               which is used to negate any expression;
and               &    which is used to combine two expressions; and
or                |    which is used to select from two expressions.



15. A method of configuring a directory server comprising a plurality of entries, the
method comprising the steps of:

defining a computed attribute for an entry;

assigning a value to the computed attribute, whereby said entry is capable of being
grouped with other entries that have the same or a similar value for the computed
attribute; and

configuring the directory server software to perform search operations, thereby
reducing complexity in a client program that accesses the directory server.



16. The method of claim 15, further comprising the step of:

providing a set of expressions and boolean operations for use in a directory
search.

17. The method of claim 16, wherein the expressions comprise any one or more of
operands connected by the operators,

equal             =    where an instance of the attribute exactly matches the value;
contains          *    which is used as a wild card to allow presence check or partial matches;
sounds like       ~=   which is used in name searches;
greater or equal  >=   which is used for numerical comparisons;
less or equal          which is used for numerical comparisons;
negation               which is used to negate any expression;
and               &    which is used to combine two expressions; and
or                |    which is used to select from two expressions.



18. A method of computing which roles an entry possesses, said method comprising
the steps of:

validating that the entry meets the criteria to possess a role; and

determining that the entry falls within the scope of the role.

19. A method of determining all roles possessed by an entry in a directory system, the
method comprising the steps of:

examining a computed attribute associated with the entry for a list of values of the
computed attribute, and

enumerating each value, which is a distinguishing name (DN) representing a role
possessed by that entry.



20. The method as in claim 21, wherein the computed attribute is nsRole. 



21. A method of obviating the need to examine all groups in a directory system in
order to determine the roles possessed by an entry, the method comprising the steps of:

configuring the directory system to contain roles; and

returning a list of computed values of a computed attribute belonging to the entry,
whereby all the roles possessed by the entry are obtained.

22. The method as in claim 21, wherein the computed attribute is nsRole.



23. In a directory system comprising a plurality of entries and a plurality of roles
possessed by the plurality of entries; a method of enumerating the membership of a
desired role, the method comprising the steps of:

locating all roles th[...] scope with an entry that possesses the desired role;

iterating over the in[...] roles looking for the entries that possess the desired
role;

adding, to an attribute's value set, the distinguishing names (DNs)
of those entries that possess the desired role.
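
Added illustration, not part of the patent text: a Python model of the role computation recited in claims 5, 12, 18 and 19, where a role is identified by the DN of its defining entry, an entry's nsRole values are computed on the server side, and membership is enumerated by checking that attribute. The nested-tuple form of the search specification, the scope rule (the subtree under the role entry's parent), and every entry, attribute and DN below are assumptions constructed for the example.

```python
import re

def matches(spec, attrs):
    """Evaluate a search specification (nested tuples, an assumed form) on one entry."""
    op = spec[0]
    if op == "&":                                   # combine expressions
        return all(matches(s, attrs) for s in spec[1:])
    if op == "|":                                   # select from expressions
        return any(matches(s, attrs) for s in spec[1:])
    if op == "!":                                   # negate an expression
        return not matches(spec[1], attrs)
    _, attr, want = spec
    values = attrs.get(attr, [])
    if op == "=":                                   # exact match; '*' is a wild card
        pattern = ".*".join(re.escape(part) for part in want.split("*"))
        return any(re.fullmatch(pattern, v, re.IGNORECASE) for v in values)
    if op in (">=", "<="):                          # numerical comparisons
        ok = (lambda v: v >= int(want)) if op == ">=" else (lambda v: v <= int(want))
        return any(ok(int(v)) for v in values)
    raise ValueError(f"unsupported operator: {op!r}")  # e.g. '~=' is not modelled

def in_scope(entry_dn, role_dn):
    """Assumed scope rule: subtree under the role entry's parent (naive DN compare)."""
    parent = role_dn.split(",", 1)[1].lower()
    return entry_dn.lower().endswith("," + parent)

def ns_role(entry_dn, directory, roles):
    """Computed attribute: DNs of the roles the entry is in scope of and qualifies for."""
    attrs = directory[entry_dn]
    return sorted(dn for dn, spec in roles.items()
                  if in_scope(entry_dn, dn) and matches(spec, attrs))

def enumerate_members(role_dn, directory, roles):
    """Enumerate role membership by checking each entry's computed role attribute."""
    return sorted(dn for dn in directory if role_dn in ns_role(dn, directory, roles))

# Constructed sample data (not from the patent).
DIRECTORY = {
    "uid=alice,ou=People,dc=example,dc=com": {"title": ["Senior Manager"], "level": ["7"]},
    "uid=bob,ou=People,dc=example,dc=com": {"title": ["Engineer"], "level": ["4"]},
    "uid=carol,ou=Contractors,dc=example,dc=com": {"title": ["Manager"], "level": ["8"]},
}
MANAGERS = "cn=Managers,ou=People,dc=example,dc=com"
STAFF = "cn=Staff,dc=example,dc=com"
ROLES = {
    MANAGERS: ("&", ("=", "title", "*manager"), (">=", "level", "5")),
    STAFF: ("|", ("=", "title", "*"), ("<=", "level", "3")),
}

if __name__ == "__main__":
    for dn in DIRECTORY:
        print(dn, "->", ns_role(dn, DIRECTORY, ROLES))
```

The carol entry satisfies the Managers search specification but sits outside that role's scope, so it receives only the Staff role; both checks of claim 18 have to pass before a role DN appears in nsRole.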